ansible/hg-web: use nonce for script-src in CSP (bug 1333615); r?glob draft
author: Gregory Szorc <gps@mozilla.com>
date: Wed, 05 Apr 2017 18:07:29 -0700
changeset: 10767 c2ef0ae01407eb6305a5100a0fcc02f2b870811f
parent: 10766 69f9132f9d41fc54004157540f4a3f93fc3980ae
push id: 1619
push user: bmo:gps@mozilla.com
push date: Tue, 11 Apr 2017 21:40:13 +0000
reviewers: glob
bugs: 1333615
ansible/hg-web: use nonce for script-src in CSP (bug 1333615); r?glob

We previously swapped in Mercurial's native CSP support while preserving existing behavior. This commit "upgrades" our CSP policy to replace "unsafe-inline" for script-src to use a nonce (which Mercurial generates when it sees the special "%nonce%" string in its CSP policy string).

The test changes demonstrate a nonce being added to an inline <script>.

Sadly, we don't verify the nonce in the header exactly matches what is in the body. Doing this in a .t test is a bit hard. In this case, I think we can trust that upstream Mercurial is doing the right thing. So I'm fine not explicitly testing this. FWIW, I did verify it manually.

MozReview-Commit-ID: K5e1jpkqXaX
ansible/roles/hg-web/files/hgrc
hgserver/tests/test-csp.t
--- a/ansible/roles/hg-web/files/hgrc
+++ b/ansible/roles/hg-web/files/hgrc
@@ -16,17 +16,17 @@ allow_archive = bz2 gz zip
 templates = /repo_local/mozilla/hg_templates/
 encoding = UTF-8
 baseurl = https://hg.mozilla.org/
 maxchanges = 20
 guessmime = True
 
 # bugzilla.mo is for l10n tool.
 # TODO find out URL for l10n tools needing this and restrict to that.
-csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+csp = default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-%nonce%'; style-src 'self' 'unsafe-inline'
 
 # We don't allow pushes over HTTP. But if this isn't set, pushing to https://
 # prints a "SSL required" message because the load balancer terminates TLS
 # and Mercurial thinks SSL isn't being used.
 push_ssl = false
 
 # Pygments does content based analysis to determine the language for
 # unknown file extensions. Unfortunately, it is overly aggressive about
--- a/hgserver/tests/test-csp.t
+++ b/hgserver/tests/test-csp.t
@@ -4,19 +4,19 @@
   $ hgmoenv
 
   $ hgmo create-repo mozilla-central scm_level_3
   (recorded repository creation in replication log)
 
 CSP header should be present on normal HTTP requests
 
   $ http ${HGWEB_0_URL}mozilla-central/shortlog --header content-security-policy | grep script
-  content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
+  content-security-policy: default-src 'none'; connect-src 'self' https://bugzilla.mozilla.org/; img-src 'self'; script-src 'self' 'nonce-*'; style-src 'self' 'unsafe-inline' (glob)
   <script type="text/javascript" src="/mozilla-central/static/mercurial.js"></script>
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="*"> (glob)
   </script>
 
 CSP header absent on protocol requests
 
   $ http ${HGWEB_0_URL}mozilla-central?cmd=capabilities --no-body --header content-security-policy
   200
 
 CSP header absent from Mercurial user agents
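Review bot: the `(glob)` matches on `'nonce-*'` and `nonce="*"` accept any value, including an empty one, so the test would still pass if hgweb emitted `'nonce-'` in the header or `nonce=""` in the body. Tightening these to `(re)` lines with a non-empty character class, e.g. `script-src 'self' 'nonce-[A-Za-z0-9+/=]+'; style-src 'self' 'unsafe-inline' (re)` and `<script type="text/javascript" nonce="[A-Za-z0-9+/=]+"> (re)`, would at least assert that a real value is present. As the commit message notes, the header and body nonce are not compared; if that is later wanted, the header value could be captured into a shell variable with `sed` in the `.t` file and then grepped for in the body of the same request, since the two must come from a single response to be meaningful.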